Re: [v6ops] Off topic: Teredo sunset -- Re: [EXTERNAL] Re: Improving ND security

Joseph Touch <> Mon, 03 August 2020 22:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 07D1E3A1144 for <>; Mon, 3 Aug 2020 15:52:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.454
X-Spam-Status: No, score=0.454 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.652, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sKFAQaEfXWno for <>; Mon, 3 Aug 2020 15:52:51 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D48AF3A1143 for <>; Mon, 3 Aug 2020 15:52:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=58GpQPUG0mSUpoy92pYC62Xt8PcU3JFkdYRLmzAyW5Q=; b=Tvisef+o1HCEY1QKodPGa9yyM pySaoQq52fZYOS9jnAAVYFPZpG2DVpHZMMzwRuTf6HaZQ1X29lj77MOeA+puzIZpmvP/u+KC6wkqA l8eYNImyLdWmRQ7NGlmGTl553rUmpqsEA6KwFA6BWfnGZjca3EbkOYhuBDzdix7BOJmBCrNtKcJCV 1/Q5ST/cwDVhQF0GaZDRqcwpTPBHZ9bvpcy3qh3f5xVWEsRXqq+M9jNFZNW6v2KQrkxB2YTiHB7DW 6gk3WUOTn5npZvO2cjRFT5avDVpdNU+V6Y0XHHB+w1aQJeyBm2olu6KHmGFipqAnHpXleWRxiJlGN bZrjE/sWQ==;
Received: from ([]:63112 helo=[]) by with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <>) id 1k2jJx-0044mx-8F; Mon, 03 Aug 2020 18:52:47 -0400
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
From: Joseph Touch <>
In-Reply-To: <>
Date: Mon, 3 Aug 2020 15:52:40 -0700
Cc: =?utf-8?Q?Lencse_G=C3=A1bor?= <>, "" <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <>
To: "Templin (US), Fred L" <>
X-Mailer: Apple Mail (2.3608.
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
X-From-Rewrite: unmodified, already matched
Archived-At: <>
Subject: Re: [v6ops] Off topic: Teredo sunset -- Re: [EXTERNAL] Re: Improving ND security
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 03 Aug 2020 22:52:53 -0000

> On Aug 3, 2020, at 3:24 PM, Templin (US), Fred L <> wrote:
> Perhaps gone, but not forgotten - RFC4380 is still a proposed standard and
> specifies a UDP/IP encapsulation format that can be adopted by other service
> specifications. The other services are easily distinguished from Teredo through
> the use of a service-specific IANA-assigned UDP port number.

Thanks for the segue. Fred brought this issue to my attention recently and we addressed it in a presentation at TSVWG last week on UDP options.

RFC4380 makes some claims about “consistency” between UDP length and IP length - without defining the term. *IF* that means that the two point to the same “end of packet”, then it would prohibit use of UDP options as they’re now being defined.

RFC6081 goes further and tries to explicitly define “consistency” as per above (which it should not - esp. because it never updated RFC 768 or RFC 1122 accordingly) *AND* introduces another variant where the IP length undershoots the UDP length “end”, which is nonsensical esp. because it would interact badly with IP devices (which couldn’t forward the UDP overshoot without parsing into the UDP packet to process IP).

This will be discussed in the pending updated UDP options text, but the intent is to correct these errors (i.e., UDP length can “undershoot” the IP length, which is where UDP options go, and can never overshoot as per RFC6081).